Re: [VOTE] Secure Session Module Options/Internal by Default

From:	Yasuo Ohgaki	Date:	Tue, 18 Feb 2014 00:13:18 +0000
Subject:	Re: [VOTE] Secure Session Module Options/Internal by Default
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Andrey,

On Mon, Feb 17, 2014 at 10:22 PM, Andrey Andreev <[email protected]> wrote:

> This still doesn't explain how it would work.
> And why is it necessary as a setting instead of auto-detecting it? The
> valid length should be easy to calculate.
>

Valid length is easy to detect as well as valid chars.
Current session module only detects and discards "if session has invalid
chars"
i.e. Invalid chars are only few chars. Stricter check is up to session save
handlers.
http://lxr.php.net/xref/PHP_5_6/ext/session/session.c#1605
(It would be better to have stricter check in module. IMO. It's BC...)

Length check is trivial, then why not check  and discard by module instead
of
accepting invalid session ID and let users check and discard? It addresses
bug
like null session ID raises annoying error also.

Timing attack could be done with liner directory search. With liner
directory
search, file names are compared one by one, character by character.
Therefore,
attacker can exploit timing if sent session ID matches or not.

Modern file systems like ext4 have htree that hashes file names. Timing
cannot be
used such file systems because it is the same as "hash strings, then
compare".
Characters are not compared one by one.

XFS uses B+tree. B+tree is one by one comparison basically. B+tree would be
harder to exploit since its structure may change a lot during attack, but
it might
be vulnerable if attacker considers tree structure change during attack.
i.e. Tree
structure may change after GC or new sessions are added. (This is also
applicable to liner directory search file system. Structure change is more
obvious
and easy to handle with simple liner search.)

There is threat and it could be removed with length check.
Let's have the check and forget about timing attack!

Regards,

P.S. The reason why Python adopts "hash comparison" with ==/=== is the
same reason, I suppose. PHP 5.6 may do the same or similar, and forget
about timing attack.

--
Yasuo Ohgaki
[email protected]


   

Thread (19 messages)

• Andrey AndreevMon, 17 Feb 2014 08:11:35 +0000
  • Yasuo OhgakiMon, 17 Feb 2014 09:40:37 +0000
    • Andrey AndreevMon, 17 Feb 2014 13:22:37 +0000
      • Yasuo OhgakiTue, 18 Feb 2014 00:13:18 +0000
        • Stas MalyshevTue, 18 Feb 2014 00:40:22 +0000
          • Yasuo OhgakiTue, 18 Feb 2014 01:46:31 +0000
            • Stas MalyshevTue, 18 Feb 2014 04:11:15 +0000
              • Yasuo OhgakiTue, 18 Feb 2014 10:42:39 +0000
            • Andrey AndreevThu, 20 Feb 2014 13:03:49 +0000
              • Yasuo OhgakiThu, 20 Feb 2014 21:17:12 +0000
                • Andrey AndreevFri, 21 Feb 2014 11:25:24 +0000
                  • Ferenc KovacsMon, 24 Feb 2014 09:31:57 +0000
                    • Yasuo OhgakiMon, 24 Feb 2014 09:34:06 +0000
                  • Yasuo OhgakiMon, 24 Feb 2014 09:31:37 +0000
                    • Andrey AndreevMon, 24 Feb 2014 09:50:31 +0000
                      • Yasuo OhgakiMon, 24 Feb 2014 10:00:07 +0000
                        • Andrey AndreevMon, 24 Feb 2014 13:40:30 +0000
                        • Marcel AraujoMon, 24 Feb 2014 14:05:31 +0000
                          • Rouven WeßlingMon, 24 Feb 2014 14:09:40 +0000